The user can define what strings must be discarded from difference files. String search is case-insensitive.

With those changes, the part of the program comparing differences between 2 sandboxes is, at least at the moment, finished. I don't plan on adding new features to this part, only fixing bugs if any are found, but if someone suggests an interesting feature I will be glad to consider adding it.

Now I will start working on the part of the program that analyzes all the differences and evaluates whether the actions taken can be considered suspicious.

My final goal is to create a report listing all the actions that were considered suspicious, if any, and give an evaluation based on them. For this I must create a list of suspicious actions and assign them a "malicious ratio".

Finally, the analysing module would say that the analysed program(s) have a "low", "medium" or "high" risk of being malware.

I'll say it now, and I would like not to have to repeat it very much: nobody can expect 100% accurate results, probably not even 1% in some cases.

Some malware will detect that Sandboxie is running and will abort its operations. In such cases the analysis will be useless.

Some malware doesn't start malicious actions immediately after being run. Again, in such cases the analysis will very probably be useless.

Some malware (backdoors mainly) just opens a port and waits for an incoming connection. It's very risky to evaluate a program as malware just because it opens a port.

People should know that in malware analysis, automatic processes cannot be compared to human analysis, especially when it's done by experts. I'm not an expert coder, malware analyst or similar. SandDiff only aims to be a tool for guidance.

There are no malware actions "per se", so I cannot say "this program is malware because it did this or that". E.g. a piece of malware may add itself to an autorun registry key, but legit software may do it too.

It's the user who must, in the end, evaluate whether the analyzed program should be doing certain things or not.

Building a list of malicious actions will take time. I will wait for tzuk to release a Sandboxie version including the message logging feature, as it will be a very important part of the analyzer. Therefore there will not be a new version of SandDiff for a while.

Meanwhile test as much as possible the current version and send your feedback!
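As an added illustration of the analyzer design described in this post (not SandDiff's own code), the sketch below filters sandbox difference lines with user-defined ignore strings (case-insensitive), matches the remaining lines against a list of suspicious actions carrying a "malicious ratio", and turns the sum into a low/medium/high verdict. The diff line format, the action patterns, the ratios and the thresholds are all assumptions made up for the example; note that a listening port alone is weighted low, for the reason given above.

```python
import re

# Constructed sample difference lines, one observed change per line.
# This format is invented for the example; it is not SandDiff's real output.
SAMPLE_DIFF = [
    r"FILE ADDED C:\Windows\Prefetch\SAMPLE.EXE-1234.pf",
    r"FILE ADDED C:\Users\test\AppData\Local\Temp\install.log",
    r"REG ADDED HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r"FILE ADDED C:\Windows\System32\drivers\helper.sys",
    r"NET LISTEN TCP 0.0.0.0:4444",
]

# User-defined strings to discard from the diff, matched case-insensitively.
IGNORE_STRINGS = ["\\prefetch\\", "\\TEMP\\"]

# Suspicious actions with an assumed "malicious ratio" each. A listening
# port is weighted low on purpose: by itself it does not identify malware.
SUSPICIOUS_ACTIONS = [
    ("adds autorun registry entry",
     re.compile(r"^REG ADDED .*\\CurrentVersion\\Run\\", re.I), 0.35),
    ("writes file into Windows directory",
     re.compile(r"^FILE ADDED C:\\Windows\\", re.I), 0.30),
    ("opens a listening port", re.compile(r"^NET LISTEN ", re.I), 0.10),
]

def filter_diff(lines, ignore_strings):
    """Drop every line containing one of the ignore strings (case-insensitive)."""
    lowered = [s.lower() for s in ignore_strings]
    return [l for l in lines if not any(s in l.lower() for s in lowered)]

def score_actions(lines):
    """Sum the ratios of all matched actions, capped at 1.0; also return the matches."""
    matched, total = [], 0.0
    for line in lines:
        for name, pattern, ratio in SUSPICIOUS_ACTIONS:
            if pattern.search(line):
                matched.append((name, line, ratio))
                total += ratio
    return round(min(total, 1.0), 2), matched

def verdict(score):
    """Map the summed ratio to the three-level result (thresholds are assumed)."""
    if score < 0.25:
        return "low"
    return "medium" if score < 0.6 else "high"

def analyze(lines, ignore_strings=IGNORE_STRINGS):
    """Full pipeline: filter -> score -> verdict. Returns (score, verdict, matches)."""
    score, matched = score_actions(filter_diff(lines, ignore_strings))
    return score, verdict(score), matched

if __name__ == "__main__":
    for item in analyze(SAMPLE_DIFF)[2]:
        print(item)
    print(analyze(SAMPLE_DIFF)[:2])
```

With the two ignore strings, the prefetch and temp lines are dropped, and the remaining three actions add up to 0.75, i.e. "high"; a diff containing only the listening port scores 0.10, i.e. "low".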